From 2374e7b07fa85e6e5276f94e02930d9bf4b5e507 Mon Sep 17 00:00:00 2001
From: Kiran Bodipi <62982917+KiranBodipi@users.noreply.github.com>
Date: Mon, 12 Feb 2024 18:59:36 +0530
Subject: [PATCH] Rancher checks correction (#1563)

1. Have modified test criteria such that it produces right output in case of there is no file exists.
2. Have modified the tests wherever root:root is checked multiple times.
---
 cfg/k3s-cis-1.23/node.yaml | 3 ---
 cfg/k3s-cis-1.24/node.yaml | 3 ---
 cfg/k3s-cis-1.7/node.yaml | 3 ---
 cfg/rke-cis-1.23/node.yaml | 3 ---
 cfg/rke-cis-1.24/node.yaml | 12 ++++++------
 cfg/rke-cis-1.7/node.yaml | 3 ---
 cfg/rke2-cis-1.23/node.yaml | 3 ---
 cfg/rke2-cis-1.24/node.yaml | 3 ---
 cfg/rke2-cis-1.7/node.yaml | 3 ---
 9 files changed, 6 insertions(+), 30 deletions(-)

diff --git a/cfg/k3s-cis-1.23/node.yaml b/cfg/k3s-cis-1.23/node.yaml
index 80f0c5a..c0b60df 100644
--- a/cfg/k3s-cis-1.23/node.yaml
+++ b/cfg/k3s-cis-1.23/node.yaml
@@ -149,9 +149,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/k3s-cis-1.24/node.yaml b/cfg/k3s-cis-1.24/node.yaml
index 3b95091..82ddff0 100644
--- a/cfg/k3s-cis-1.24/node.yaml
+++ b/cfg/k3s-cis-1.24/node.yaml
@@ -118,9 +118,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/k3s-cis-1.7/node.yaml b/cfg/k3s-cis-1.7/node.yaml
index 9941e6c..780bb4d 100644
--- a/cfg/k3s-cis-1.7/node.yaml
+++ b/cfg/k3s-cis-1.7/node.yaml
@@ -114,9 +114,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/rke-cis-1.23/node.yaml b/cfg/rke-cis-1.23/node.yaml
index 3fac4fa..ea13f94 100644
--- a/cfg/rke-cis-1.23/node.yaml
+++ b/cfg/rke-cis-1.23/node.yaml
@@ -111,9 +111,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/rke-cis-1.24/node.yaml b/cfg/rke-cis-1.24/node.yaml
index ce7762b..71f1b7d 100644
--- a/cfg/rke-cis-1.24/node.yaml
+++ b/cfg/rke-cis-1.24/node.yaml
@@ -94,27 +94,27 @@ groups:
 
 - id: 4.1.7
 text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
- audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
+ audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
 tests:
+ bin_op: or
 test_items:
 - flag: "permissions"
 compare:
 op: bitmask
 value: "600"
+ - flag: "File not found"
 remediation: |
 Run the following command to modify the file permissions of the --client-ca-file
 chmod 600
 scored: true
-
 - id: 4.1.8
 text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
- audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
+ audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
 tests:
+ bin_op: or
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
+ - flag: "File not found"
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/rke-cis-1.7/node.yaml b/cfg/rke-cis-1.7/node.yaml
index 8c9ec4c..ff57317 100644
--- a/cfg/rke-cis-1.7/node.yaml
+++ b/cfg/rke-cis-1.7/node.yaml
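Review bot: In the rke-cis-1.24 hunk, the new `bin_op: or` together with `- flag: "File not found"` makes 4.1.7 and 4.1.8 report PASS whenever `/node/etc/kubernetes/ssl/kube-ca.pem` is absent, and that branch cannot tell a genuinely absent CA file from a scan that probed the wrong place (for example if the host filesystem is not mounted under `/node`, or the CA lives at another path), so a misconfigured scan would presumably be reported as compliant instead of as an error. If pass-on-missing is the intended behaviour, the fallback output should at least name the path that was probed, e.g. `else echo \"File not found: /node/etc/kubernetes/ssl/kube-ca.pem\"; fi` (assuming the flag match still succeeds on the longer line), and a comment above the two `audit` lines stating that an absent file is treated as compliant would make the intent explicit to the next reader. Only this file gains the `test -e` guard and the `File not found` alternative: the rke-cis-1.23 and rke-cis-1.7 hunks in this patch (and the k3s and rke2 ones) only drop the duplicate `compare`, so their 4.1.8 test still has no alternative after the `root:root` item and presumably still fails on a missing file unless their `audit` lines, which are outside those hunks, already handle it. The enclosing `groups` entry starts and ends outside the hunk.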
@@ -116,9 +116,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/rke2-cis-1.23/node.yaml b/cfg/rke2-cis-1.23/node.yaml
index 596208a..bbb015f 100644
--- a/cfg/rke2-cis-1.23/node.yaml
+++ b/cfg/rke2-cis-1.23/node.yaml
@@ -119,9 +119,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/rke2-cis-1.24/node.yaml b/cfg/rke2-cis-1.24/node.yaml
index bfbc24d..b99703f 100644
--- a/cfg/rke2-cis-1.24/node.yaml
+++ b/cfg/rke2-cis-1.24/node.yaml
@@ -119,9 +119,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root
diff --git a/cfg/rke2-cis-1.7/node.yaml b/cfg/rke2-cis-1.7/node.yaml
index 765a3dd..155aef7 100644
--- a/cfg/rke2-cis-1.7/node.yaml
+++ b/cfg/rke2-cis-1.7/node.yaml
@@ -120,9 +120,6 @@ groups:
 tests:
 test_items:
 - flag: root:root
- compare:
- op: eq
- value: root:root
 remediation: |
 Run the following command to modify the ownership of the --client-ca-file.
 chown root:root